Closed thumpco closed 5 months ago
Not the case. If you think it's good to have a TLS report parser, it should be a dedicated project. Mailcow should not include such an analytics tool; it greatly impacts the stack and is not much needed because mailcow does not have problems with TLS ;) - all your reports will always be "green"
If people need it, they can set up a dedicated project, but not have it as part of a big salt pan. Salt pan projects that try to cover anything, no matter the price, end up badly. They look and work like Frankenstein, hardly understandable and badly maintained.
There is the parsedmarc project available that parses email reports for DMARC, and there is a FR to support TLS report parsing; look there please. The developer is now working on the implementation and has requested help with testing.
Also, people can decide to use SaaS to analyze such reports.
I'm not requesting to receive, parse or analyze the TLS reports. Simply requesting to send the reports the same as mailcow already does for sending DMARC reporting.
This would be similar to mailcow's DMARC Reporting, except for TLS Reports: https://docs.mailcow.email/post_installation/firststeps-dmarc_reporting/
@dragoangel "mailcow not have problems with tls ;) - all your reports will be always "green.."
Similar to mailcow DMARC reporting, TLS reporting is to notify the admin of the initiating server that they have a problem with their senders that needs to be addressed. It does not indicate a problem with mailcow.
@DerLinkman had asked I submit this as an enhancement request here: https://github.com/mailcow/mailcow-dockerized/issues/5582#issuecomment-1854764676
This would be similar to mailcow's DMARC Reporting, except for TLS Reports: https://docs.mailcow.email/post_installation/firststeps-dmarc_reporting/
DMARC reporting is done by rspamd out of the box, so mailcow just tells you how to get it.
To send tlsa reports, postfix should have such a module to analyze and store TLS results for both MTA-STS and DANE. This is not possible due to how postfix is done, so mailcow can't help here.
Understood @dragoangel. Thank you.
Summary
Request to add TLS Reporting functionality per RFC: https://www.rfc-editor.org/rfc/rfc8460.html
This would allow mailcow to provide TLS Reports (similar to DMARC Reports) per the above RFC.
From what I can tell this would require:
1) Mailcow to support separate/multiple dkim selectors for the domain sending/signing the outbound TLS Reports. Per RFC, it appears the outbound TLS reports should be signed by a dkim key with the service type declaration, "s=tlsrpt" (vs "s=email" as used by mailcow). It's unclear to me if "s=*" would suffice or if multiple service types can be listed for a single dkim key (as an alternative to multiple dkim selectors/keys). https://www.rfc-editor.org/rfc/rfc8460.html#page-6
2) Mailcow to support URI POST reporting mechanism (required alternative to SMTP reporting per RFC)
3) Mailcow to ignore TLS errors for the reporting session and exempt the reporting email from the report itself.
4) Mailcow to generate TLS report content.
Motivation
Provide compliance with latest RFC standards being implemented for DANE compliant email servers.
Additional context
No response
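Added example, not part of the original issue or of mailcow's code: a small check of how a DKIM key record's `s=` tag relates to signing TLS reports, relevant to point 1 above. It assumes the RFC 6376 key-record syntax (`s=` is a colon-separated list that defaults to `*`); the function names and the sample records are constructed for illustration.

```python
# Added example: how a DKIM key record's s= tag relates to signing TLS reports.
# The records in SAMPLES are constructed; "QUJD" is a placeholder, not a real key.

def parse_tag_list(txt):
    """Parse a DKIM 'tag=value; tag=value' key record into a dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip()
        if not sep or not name:
            raise ValueError(f"malformed tag: {part!r}")
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = "".join(value.split())  # remove folding whitespace
    return tags

def tlsrpt_service_status(txt):
    """Classify a key record (hypothetical helper) for TLSRPT signing."""
    try:
        tags = parse_tag_list(txt)
    except ValueError:
        return "invalid"
    if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
        return "invalid"
    if tags["p"] == "":
        return "revoked"    # an empty p= means the key has been revoked
    # s= is a colon-separated list of service types; it defaults to "*".
    services = [s for s in tags.get("s", "*").split(":") if s]
    if "tlsrpt" in services:
        return "explicit"   # the s=tlsrpt declaration the issue cites from RFC 8460
    if "*" in services:
        return "wildcard"   # matches every service type, but tlsrpt is not declared
    return "excluded"       # e.g. s=email only: the key does not cover TLSRPT

SAMPLES = {  # constructed records
    "tlsrpt-only": "v=DKIM1; k=rsa; s=tlsrpt; p=QUJD",
    "shared-key": "v=DKIM1; k=rsa; s=email:tlsrpt; p=QUJD",
    "no-s-tag": "v=DKIM1; k=rsa; p=QUJD",
    "email-only": "v=DKIM1; k=rsa; s=email; p=QUJD",
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(f"{name}: {tlsrpt_service_status(record)}")
```

A key published with `s=email` alone is classified as `excluded`, which is the case the issue describes for mailcow's current selector.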